On the backside

 

Image from Pixabay

Alarm! Nine viruses were found on a user's laptop! The virus scanner actually had too little information about a few of those infected files, but about several others it reported: we have already seen this file with hundreds of customers and we are pretty sure that the file is unreliable. Fortunately, the scanner has quarantined the files and they can no longer do any harm. The fire was extinguished before it could really break out.

We usually do not lose sleep over these types of reports; we see them dozens of times a week and they are neatly handled automatically. Exactly as a virus scanner should do. 'Virus scanner' is a somewhat old-fashioned name, which I only use here because it is commonplace. 'Malware scanner' is already better, because the term encompasses more than just viruses: malware is the contraction of 'malicious' and 'software'. In addition to computer viruses, the term malware also includes keyloggers (which secretly record your keystrokes), spyware (collects information about you), and backdoors (allow a hacker to illegally access your system), to name a few. Vendors nowadays like to talk about an 'endpoint protection platform' and by that they mean the protection of all end-user equipment in an organization – not just laptops, but also tablets, smartphones and printers, for example. The computer industry likes old wine in new bottles.

Anyway, for one reason or another, those nine reports caught the attention of a colleague, who decided to call the user in question. The reports implied that the infected files were on a USB device, but the user claimed, hand on heart, that he did not have a USB stick in his laptop. After some further questioning, it turned out that he had connected the laptop to a screen at home via a KVM switch (with a KVM switch (Keyboard, Video, Mouse) you can connect several computers to one screen, keyboard and mouse; you can easily switch between the different computers). But there was no USB stick in that KVM switch either. Finally, after some research, it turned out that the screen itself also had a USB port, and there the virus-infested USB stick was sitting.

The incident nicely illustrates that the truth is not always on the surface. If you were to rely solely on the information provided by the scanner, you would conclude that there is a USB stick with infected files in the laptop. And if the user says that's not true, you don't believe him. Whereas in this case the user was in good faith and patiently cooperated to assist my tenacious colleague. Unfortunately, we don't know how that infected USB stick got into the monitor.

There is one other thing that needs attention here. There are quite a few devices that have USB ports. Traditionally we know them from computers, but screens can also be equipped with them, and our TV, which is connected to the Wi-Fi network, also has a few. With these types of devices, they are usually located at the back and are therefore out of sight. This offers opportunities for people with less good intentions: in an unguarded moment they can simply insert a USB stick that contains software that you would rather not have at home. Now the employee in question was not authorized to use USB sticks, but the USB stick was seen by Windows.

It calls for vigilance. Do you always know exactly where you connect your laptop? And what's behind that, and what's on the backside? What do your housemates do with equipment that you also use for work? It can do no harm to make them aware that USB sticks can contain malicious files and that they should always be scanned before opening the files. This is not only in the interest of you and your housemates as private users, but also in the interest of your employers in the case of shared use of equipment. Everyone in the house should take that into account.

There will be no Security (b)log next week.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Of course there is also malware for your Mac.
• a supply chain chain reaction has taken place.
• China spies on us on a large scale, including digitally. [DUTCH]
• the British fear spyware and hacking mercenaries.
• the Dutch Football Association is struggling with a ransomware attack. [DUTCH]
• routers also need to be cleaned before they are scrapped.
• cybercriminals trade in stolen accounts for ChatGPT.
• employees put confidential company information in ChatGPT.

 

A year without internet

 

Image from Pixabay

It was a pleasant spring day, that April 14, 2022. Sunny, light wind, twenty degrees (68 °F). But the day started foggy. Not only from a meteorological point of view, also digitally. At 7:53 am the internet started to malfunction. An hour later all screens were black. Worldwide. That was a year ago. The internet is still broken, despite all the smart cyberheads who have weighed in on this. We've been thrown back, cyber-wise, to the floppy era.

Could such a horror scenario ever materialize? At the risk of the wish being father to the thought: I don't think so. After all, the internet is designed to survive the failure of part of the network. It has no all-important component that, if it fails, shuts down the entire Internet. The design has a military background, where availability was of the utmost importance, and this mechanism is of course also very useful in civilian society. Despite the improbable nature of this figment of my imagination, I would like to pretend that the first paragraph actually happened for the duration of this blog. In terms of information security, you could say dryly that there is an availability problem. That's nice, but that observation won't help you much if you can't pull out a recovery plan that lives up to its title.

I try to comprehend what the prolonged absence of the internet would mean. Let me take a look at myself first. For starters, I wouldn't be sitting at my desk at home right now, but in the office. Five days a week. Because working from home without internet is not possible. Well, of course I could write a blog or a memo, save it on my laptop and put it on the intranet at the office (sorry external readers, no blog for you). But that online meeting that I had this morning, that really couldn't have been done. I would have cycled to the office through the cold spring sun. Speaking of cold: without the internet I really wouldn't have known what the weather was like a year ago, and I couldn't have started this blog with the weather report from then.

It's fifteen minutes by bike for me and I find my office blindly, but suppose I had to go to an unknown destination. Would my navigation have worked? Yes and no. GPS is separate from the internet; it comprises a bunch of satellites in orbit and an antenna in my navigation device that picks up the signal from those satellites. So I know where I am and which way I'm going. However, without internet I have no current maps. If I'm lucky, the necessary maps will be in the system. If not, I have to provide the coordinates to tell the system where I want to go. But how do I find out? And I miss up-to-date traffic information anyway, so I may end up in a big traffic jam and arrive too late at my destination.

Well, I still have some old paper road maps lying around somewhere and the signposts haven't been abolished yet either; I would find my way completely without electronics. For digital natives – young people who were born with a smartphone in their hands, who don't even realize there was ever an internet-free era – analogue navigation could be a big challenge. They don't even know how to unfold a map, so to speak, and they see right through signposts.

The demand for many types of personnel would explode. Webshops no longer work - you have to go to the store for everything, which means that they need more staff. Fortunately, there are suddenly many redundant people at the distribution centers of large webshops. The tax return has to be on paper like in the old days, and all that paperwork has to be processed manually. Where do you get so many well-trained tax officials? If I want an appointment at the dentist, the barber or a restaurant, I have to call – fortunately we have not yet shut down our telephone networks under the guise of “there’s Skype and WhatsApp, who needs POTS?” (Plain Old Telephone System).

Travel agencies would shoot up like mushrooms. Because we can no longer book a nice holiday from our easy chair. You have to plan your holiday well in advance, because the travel agency has to send a paper application to the tour operator and in the meantime you have to keep your fingers crossed, because the travel agency cannot check availability online either.

And my work? That continues. Because luckily we have our own large data center, in which the systems run that our own army of IT specialists makes and maintains. We have years of work to do on that. Because security is a process, right? We throw all our energy into this job, without distraction from external emails and social media. And we only hear the news of the day in the evening, when we watch the news via the hastily restored analogue cable TV.

Well, I'm going to drop this blog in de pillar-box.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• smaller pieces of internet regularly fail for shorter or longer periods of time. [2 different articles.]
• you can see at a glance what is broken, and for how long, here.
• things are not so good for phishers in the Netherlands. [DUTCH]
• the impact of encryption on policing cannot be determined. [DUTCH]
• DdoS criminals have already had enough of IoT devices, they are moving to cloud servers.
• criminal service providers put your rogue app in Google Play for a few thousand dollars.
• you should hope that you never have to have a computer or smartphone repaired. [Ignore the commercial message at the end of the article; the story itself is relevant.]
• Artificial intelligence poses a threat to digital security.
• long passwords are more important than ever in the AI era. [Please note: I disagree with advice No. 2 in this article, and No. 3 is shaky.]

DPSTAP

Image from Pixabay

Every ICT specialist knows that, if you have made or changed something, you first have to test whether everything (everything!) still works. In a professional environment we have a multi-stage mechanism for this, which we cherish under the abbreviation DTAP: Development, Testing, Acceptance, Production. This week I heard a variation on this abbreviation that first made my ears pop and then put a big grin on my face.

That variant is DPSTAP and that stands for: Development, Production, Shit it doesn't work, Test anyway, Acceptance, Production. I heard this during a risk analysis. In a session like that we discuss what can go wrong and how bad that is, and one of the regular topics is: someone makes a mistake, what measures have been taken to ensure that this is discovered in time and therefore can cause no damage? In all the risk analyses that I have supervised so far – and there are quite a few – those present triumphantly shouted in unison on this point: DTAP!

And that was really all said. We develop something, we do a thorough test, the customer does an acceptance test and only when everyone is satisfied the new system or new version can go into production. If errors still come to light, the product goes back to the development phase. A solid working method that is in the DNA of all IT professionals and that is so self-evident that we rarely ask ourselves whether a team really works in this way all the time. Or whether shortcuts are taken, once in a while or perhaps even structurally.

That is, until this week. After all these years someone finally dared to say that apparently sometimes a makeshift path is followed – and not even necessarily with himself, I think. It couldn't be any other way, really. I do realize that the pressure to deliver on time can sometimes be so great that you have to make a choice between being ready on time or following the official route. If you opt for the former, as a conscientious employee you will then have to wait a few days or weeks to see if everything continues to go well, biting your nails.

The more you use such a shortcut, the easier it may become. And then it could become risky. You might find yourself on a slippery slope to heedlessness, perhaps even indifference. In an organization as large as ours, I cannot rule out the possibility that there may be some colleagues who have never been at the top of a slippery slope, who naturally always choose the easiest path. I know a lot of colleagues, and I haven't met one yet who made me think: there's one of those. But statistically I can't rule out that they are around. Perhaps they are kept in the lee of their team and, for example, are not appointed to participate in risk assessments and other activities in which I am involved. To these people – and to their managers – I want to say: straighten your back, stand by your craftsmanship and make sure that you do not become a risk to our business operations yourself. You may need a (refresher) course. Or – be honest with yourself – different work.

I also learned from this. I'm getting stricter. Even more than now I will go on asking questions, even when I speak to colleagues who I know for sure are very committed to security. Do you really always do it this way, or do you occasionally do DPSTAP? If you dare to admit that, you will earn bonus points. Because you then state that there might be a risk somewhere, and we can only do something about it if we know it. It also marks the difference between running risks (which happens unconsciously) and taking risks (consciously and based on trade-offs).

Finally, a special greeting from this place to one of my most loyal readers: my mother. She turned ninety today. Congratulations!

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• you may be a victim of a global cybercrime case.
• a Dutchman lost a considerable amount of money because of this matter. [DUTCH]
• you can't afford to remain silent after a major data breach, the judge says. [DUTCH]
• April is Seniors and Safety Month, with a dedicated campaign website. [DUTCH]
• you should not use security tools for criminal purposes.
• Tesla employees shared footage your car took, and they joked about it.
• IoT device manufacturer Nexx has not understood the importance of security, making it easy to open garage doors anywhere in the world, for example.
• the government now has a toolbox for red teaming. [DUTCH]
• another toolbox steals credentials for eighteen cloud services.
• a hacked phone system steals passwords from browsers.
• Telegram is a marketplace for phishing tools.
• biometrics is not automatically safe a safe technology.